Meta

Magento SUPEE-6788 Patch

Magento released a patch, SUPEE-6788, on October 27, 2015. This patch addresses protection against security related issues such as information leaks and remote code execution. A site can be compromised in many ways by these types of threads such as potentially having malware scripts running on your server or having sensitive information stolen. This patch allows Magento store owners to protect against these security compromises. Although, unlike most patches, it can be a little confusing to implement. Before implementing this patch, here are a few things you need to know.

1. Know the Version of Magento You Are Currently Using

Once you are logged into your magento admin panel, the Magento version is listed on the footer/bottom of the page. If you are on Community (Free) Edition (1.9.0.0) and happen to have version 1.9.2.2 installed, then your site is patched. An upgrade of the Magento software is required on any version before this.

2. Know Which Modules Need to be Upgraded

It is important to know which modules need to be upgraded. Most 3rd party modules have been impacted by this patch. Many of these extensions have updates that are applied to their software which require you to upgrade to be fully compatible with the patch. Make note of all of the 3rd party extensions you have purchased, if you have not already done so.

3. Pay Attention to Your Theme

There has also be some conflicts with themes and the patch. It is important to make sure you have a custom theme to request an updated version that is suited to work with this patch.

Other Things You Should Know

An issue that occurs with this patch upgrade is modules. It occurs when you try to view their settings in the Magento admin area, either do not load or cause errors. This is because those modules are required to be upgraded through a new setting. The setting can be found in System → Config → System → Admin and under ‘Security’ tab you will seen an option:

“Admin routing compatibility mode” → when set to ‘enabled’ can provide against one of the noted exploits. This update will need to be applied to some of the modules to allow this setting to not interfere with functionality of the module. Most key modules our clients depend on have the necessary updates, but each module needs to be tested when it’s upgraded to ensure that when logged into the admin you can edit the settings of those newly updated modules when the setting is ‘enabled’. You can usually something is wrong when you click on the module settings and instead of seeing the form fields/tabs/settings, you see a white blank page or an error output.